OFFICE OF THE ASSISTANT SECRETARY FOR ADMINISTRATION AND MANAGEMENT

Office of Inspector General—Office of Audit

DOL NEEDS TO PERFORM ELECTRONIC MEDIA SANITIZATION MORE EFFECTIVELY PRIOR TO TRANSFER OR DISPOSAL

Date Issued: September 30, 2005
Report Number: 23-05-028-50-598


U.S. Department of Labor
Office of Inspector General
Office of Audit                                            September 2005

BRIEFLY…
Highlights of Report Number: 23-05-028-50-598, to the Assistant Secretary for Administration and Management / Chief Information Officer.

DOL Needs To Perform Electronic Media Sanitization More Effectively prior to Transfer or Disposal

WHY READ THE REPORT
This report contains information as to the effectiveness of the Department of Labor’s electronic media sanitization procedures. This report includes findings and recommendations as to how the Department can better sanitize electronic media prior to its transfer or disposal.

WHY OIG DID THE AUDIT
News stories show a disturbing trend concerning the disposal of surplus electronic media. CNET news reported two Massachusetts Institute of Technology students purchased 158 used disk drives for less than $1000. These students found 129 disk drives were still working, and contained thousands of active credit card numbers, along with pharmaceutical records, legal correspondence, corporate memoranda, and email messages.

During survey work in 2003, OIG found that 85 percent of the computers that were ready to be transferred or disposed of contained varying degrees and combinations of licensed operating system software, licensed application software, and data of a sensitive, personal, and/or confidential nature. As a result of this survey work, the Department took immediate corrective action. To follow up on the corrective action taken by the Department, we initiated the audit and testing of the Department’s policies and procedures regarding electronic media sanitization.

The objective of our audit was to determine if DOL is effectively sanitizing surplus electronic media prior to transfer or disposal in order to minimize the risk associated with unintentional release of information.

WHAT OIG FOUND
The OIG found that DOL regional office computer hard drives that were ready to be transferred or disposed of were properly sanitized. The OIG found that national office computer hard drives that were ready to be transferred or disposed of contained varying combinations of licensed operating system software, licensed application software, and unencrypted data of a sensitive, personal and/or confidential nature.

WHAT OIG RECOMMENDED
We recommended that the Assistant Secretary for Administration and Management take the following actions:

   •   Review the implementation of the department-wide electronic media sanitization policy for uniformity and develop verification procedures that include testing.

   •   Coordinate with each Agency’s Information Technology Security Officer to ensure future IT specific security training includes proper sanitization of electronic media.

   •   Periodically verify agencies’ effectiveness in sanitizing electronic media to assure adequate security.

   •   Research emerging technologies as an additional measure to protect DOL information assets.

The Office of the Assistant Secretary for Administration and Management generally agreed with the report and has begun taking actions to address the findings and recommendations.

READ THE FULL REPORT
To view the report, including the scope, methodology, and full agency response, go to:
http://oig.dol.gov/public/reports/oa/2005/23-05-028-50-598.pdf

Table of Contents                                                               PAGE

EXECUTIVE SUMMARY ............................................................... 3

ASSISTANT INSPECTOR GENERAL’S REPORT ............................................ 5

    All DOL Regional Office Computer Hard Drives Were Sanitized ................. 6

    Half of DOL National Office Computer Hard Drives Were Not Properly Sanitized  6

APPENDICES ..................................................................... 13

    Background .................................................................. 15

    Objective, Scope, Methodology, and Criteria ................................. 17

    Acronyms and Abbreviations .................................................. 21

    Agency Response to Draft Report ............................................. 23

U.S. Department of Labor—Office of Inspector General
Report Number: 23-05-028-50-598

Executive Summary

We conducted a performance audit of the Department of Labor (DOL) to determine if surplus electronic media were being effectively sanitized prior to transfer or disposal.

The results of a limited survey conducted by the Office of Inspector General (OIG) in 2003 found that 85 percent of the surplus computers tested contained varying degrees and combinations of licensed operating system software, licensed application software, and data of a sensitive, personal, and/or confidential nature. As a result of the survey, the OIG issued Alert Report Number 23-03-009-04-001, Electronic Media Disposal, to the Chief Information Officer (CIO) on March 27, 2003. In response to that report, the CIO took immediate corrective action, declaring a moratorium on the release of surplus electronic media, and updating disposal procedures to address the sanitization of electronic media. To follow up on the corrective action taken by the CIO, we initiated the audit and testing of the Department’s policies and procedures regarding electronic media sanitization.

We performed this audit in accordance with Generally Accepted Government Auditing Standards issued by the Comptroller General of the United States.

The objective of our audit was to determine if DOL is effectively sanitizing surplus electronic media prior to transfer or disposal in order to minimize the risk associated with unintentional release of information.

Results

We found:

   1. Regional office agencies’ computer hard drives that were ready to be transferred or disposed of were properly sanitized; and

   2. National office agencies’ computer hard drives that were ready to be transferred or disposed of contained varying degrees and combinations of licensed operating system software, licensed application software, and unencrypted data of a sensitive, personal and/or confidential nature.

We attribute unsanitized computer hard drives to weaknesses and/or noncompliance with DOL procedures in assuring electronic media are being properly sanitized during the disposal phase of a system’s development life cycle. The DOL and its agencies do have electronic media sanitization policies and procedures to protect licensed computer software and electronically stored data from unintentional release during the process of transfer or disposal. However, procedures for sanitizing electronic media allow for inconsistencies and/or bypassing certain steps.

Recommendations

We recommend the Assistant Secretary for Administration and Management (ASAM) take the following actions:

   1. Review the department-wide electronic media sanitization policy for uniformity, develop verification procedures that include testing, and enforce the implementation of the updated procedures throughout the sanitization and disposal process.

   2. Coordinate with each Agency’s Information Technology (IT) Security Officer to ensure future IT-specific security training includes proper sanitization of electronic media.

   3. As a part of the Office of Chief Information Officer’s testing of DOL’s information security program, periodically verify agencies’ effectiveness in sanitizing electronic media to assure adequate security at the disposal phase of a system’s life cycle.

Additionally, we recommend the ASAM take the following long-term action:

   4. Research emerging technologies, e.g., file encryption software, as an additional measure to protect DOL information assets throughout the Department.

Office of the Assistant Secretary for Administration and Management (OASAM) Response

OASAM management provided a written response to the draft report issued September 30, 2005. OASAM concurred with the findings and generally agreed with the recommendations. In their response, OASAM provided information on the actions taken to resolve the recommendations.

OIG Conclusion

Based on the OASAM response to the draft report, all four recommendations are resolved.

Following our recommendations, we have provided management’s written response and the OIG’s conclusion. The OIG’s conclusion specifies the actions that need to be taken to close the recommendations.

U.S. Department of Labor                       Office of Inspector General
                                               Washington, DC 20210

Assistant Inspector General’s Report

Patrick Pizzella
Assistant Secretary of Administration and Management
Chief Information Officer

We conducted a performance audit of the DOL to determine if surplus electronic media were being effectively sanitized prior to transfer or disposal.

During our survey work in 2003, we found that 85 percent of the computers that were ready to be transferred or disposed of contained varying degrees and combinations of licensed operating system software, licensed application software, and data of a sensitive, personal, and/or confidential nature. As a result of this survey work, the Department took immediate corrective action. To follow up on the corrective action taken by the CIO, we initiated the audit and testing of the Department’s policies and procedures regarding electronic media sanitization.

We tested 24 computer hard drives from the DOL regional offices and 22 computer hard drives from the DOL national offices. In the DOL regional offices, we found electronic media were properly sanitized. In the national office, we found 11 of the 22 computer hard drives tested were not properly sanitized. On those 11 computer hard drives, we found sensitive DOL information, financial information of DOL program participants and personal information as well as licensed DOL software and operating systems.

We performed this audit in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States.

Background information pertaining to our audit is detailed in Appendix A. Our audit scope, methodology, and criteria are detailed in Appendix B.

Objective – Is the Department of Labor effectively sanitizing surplus electronic media prior to transfer or disposal in order to minimize the risk associated with unintentional release of information?

Results and Findings

The table below shows the number of surplus computer hard drives tested by location, and the types of information found to be present.

Testing Results by Location

  Office         # of Computer   Licensed Operating   Licensed Application   Sensitive, Personal, or
  Location       Hard Drives     System Found         Software Found         Confidential Data Found
                 Tested
  National            22                11                     8                        5
  Philadelphia         6                 0                     0                        0
  Denver               5                 0                     0                        0
  Chicago              3                 0                     0                        0
  Dallas              10                 0                     0                        0
  TOTALS              46                11                     8                        5

All DOL Regional Office Computer Hard Drives Were Sanitized

Of the 24 computer hard drives tested from the DOL regional offices, we found no computer hard drives containing sensitive, personal and/or confidential information, licensed operating system, or application software.

Half of DOL National Office Computer Hard Drives Were Not Properly Sanitized

Of the 22 computer hard drives tested from the DOL national offices, we found 11 computer hard drives contained
sensitive, personal and/or confidential information, licensed operating system and/or application software.

From the 11 unsanitized computer hard drives, we identified the following:

   •   11 Licensed Operating Systems: Windows 98 (3), Windows XP (4), Windows NT (3), and Solaris (1)

   •   8 Licensed Software Applications: MS Office Suite

Also, from 5 of the 11 unsanitized computer hard drives, OIG recovered information that is considered sensitive, personal, and/or confidential. The types of sensitive, personal and/or confidential information included:

   •   Over 4,000 names and social security numbers of US service men and women who were Job Training Partnership Act clients;

   •   A draft report of the Department of Labor Critical Asset List, including system name and identification, physical location of system, function of system, and summary of impact if system becomes unavailable;

   •   An Employment Standards Administration (ESA) Voucher and Schedule of Payments for Federal Employees’ Compensation Act (FECA) recipients, dated 7/26/2002.
       This report includes recipient name, address, banking account number, bank routing number, and amount of FECA check received for hundreds of recipients;

   •   A personal resume;

   •   A file containing an employee’s system user ID and password; and

   •   A phone and address contact list for a Boy Scout troop.

The table below shows, by agency, the surplus computer hard drives OIG tested and the three types of information found to be present.

Testing Results by Agency

  Agency    # of Computer   Licensed Operating   Licensed Application   Sensitive, Personal, or
            Hard Drives     System Found         Software Found         Confidential Data Found
            Tested
  OASAM          21                 4                     3                        1
  ETA             2                 1                     0                        1
  OIG             5                 0                     0                        0
  MSHA            1                 1                     0                        0
  ESA            17                 5                     5                        3
  TOTALS         46                11                     8                        5

OIG’s testing results demonstrated that there are weaknesses with the Department’s procedures to assure electronic media are being properly sanitized during the disposal phase of a system’s life cycle.

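As an added illustration of the kind of independent verification test the findings above call for (example code written for this page, not part of the OIG report or of any DOL procedure), the following Python script checks a drive image against its expected overwrite pattern and flags residual operating-system, Office-document and readable-text fragments of the kinds the audit recovered. The image layout, file names and sample roster text are constructed for the demonstration.

```python
"""Independent verification of a drive image after sanitization.

Walks an image of a disk that is claimed to have been overwritten, counts every
byte that does not match the fill value, and flags residual signatures of the
kinds of material the audit recovered: OS boot sectors, MS Office documents,
readable text and SSN-shaped numbers. Sample images are constructed in a temp
directory so the script runs offline.
"""
import re
import tempfile
from pathlib import Path

SECTOR = 512
CHUNK = 1 << 20       # 1 MiB reads; a multiple of SECTOR, so no sector straddles two chunks
MAX_FINDINGS = 50     # stop listing hits after this many; the verdict is already "fail"

# (offset within sector, magic bytes, label): well-known filesystem and file-format markers.
SIGNATURES = [
    (3, b"NTFS    ", "NTFS boot sector (Windows operating system)"),
    (54, b"FAT16   ", "FAT16 boot sector"),
    (82, b"FAT32   ", "FAT32 boot sector"),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file (MS Office document)"),
    (0, b"%PDF-", "PDF document"),
]
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{40,}")    # 40 or more consecutive readable characters
SSN_SHAPED = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")  # nnn-nn-nnnn layout

# Constructed sample text; the SSN-shaped value is deliberately not a real number.
SAMPLE_TEXT = b"JTPA client roster (CONSTRUCTED SAMPLE) - Doe, Jane - SSN 000-00-0000 - Denver office"


def _scan_chunk(chunk, base):
    """Return (absolute offset, label) for magic values at sector boundaries and text anywhere."""
    hits = []
    for sec in range(0, len(chunk), SECTOR):
        for off, magic, label in SIGNATURES:
            if chunk[sec + off:sec + off + len(magic)] == magic:
                hits.append((base + sec, label))
    for m in PRINTABLE_RUN.finditer(chunk):
        label = "readable text"
        if SSN_SHAPED.search(m.group()):
            label += " containing SSN-shaped number"
        hits.append((base + m.start(), label))
    return hits


def check_image(path, fill=0x00):
    """Scan an image file; a drive passes only if every byte equals `fill`.

    Returns {'clean': bool, 'residual_bytes': int, 'findings': [(offset, label), ...]}.
    """
    residual = 0
    findings = []
    offset = 0
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            stray = len(chunk.translate(None, bytes([fill])))  # bytes that are not the fill value
            residual += stray
            if stray and len(findings) < MAX_FINDINGS:
                findings.extend(_scan_chunk(chunk, offset))
            offset += len(chunk)
    return {"clean": residual == 0, "residual_bytes": residual, "findings": findings[:MAX_FINDINGS]}


def build_sample_images(directory):
    """Write two constructed 2 MiB images: one fully zeroed, one with residue left behind."""
    directory = Path(directory)
    size = 2 << 20
    wiped = directory / "wiped.img"
    wiped.write_bytes(bytes(size))

    img = bytearray(size)
    img[3:11] = b"NTFS    "                                  # sector 0: NTFS boot sector OEM ID
    ole = 300 * SECTOR
    img[ole:ole + 8] = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # sector 300: MS Office document header
    txt = 900 * SECTOR
    img[txt:txt + len(SAMPLE_TEXT)] = SAMPLE_TEXT           # sector 900: fragment of a client roster
    residue = directory / "residue.img"
    residue.write_bytes(bytes(img))
    return wiped, residue


def verify_samples():
    """Build the samples in a temporary directory and return (wiped report, residue report)."""
    with tempfile.TemporaryDirectory() as tmp:
        wiped, residue = build_sample_images(tmp)
        return check_image(wiped), check_image(residue)


if __name__ == "__main__":
    for name, report in zip(("wiped.img", "residue.img"), verify_samples()):
        verdict = "PASS" if report["clean"] else "FAIL"
        print(f"{name}: {verdict} ({report['residual_bytes']} residual bytes)")
        for off, label in report["findings"]:
            print(f"  offset {off:>9}: {label}")
```

Run it as-is to see the verdicts for the two constructed images; to check a real image, call check_image() on its path and pass the fill byte the sanitization tool was configured to write.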
We attribute unsanitized computer hard drives to the weaknesses and/or noncompliance with DOL procedures in assuring electronic media are being properly sanitized. Specifically, procedures for sanitizing electronic media allow for inconsistencies and/or bypassing certain steps, verification procedures are not working as designed, agencies are not properly transferring media to OASAM, and there is no requirement for training personnel. The following identify examples of the weaknesses:

   •   In evaluating departmental procedures, we reviewed a departmental memorandum dated January 26, 2005, reminding agencies of DOL procedures for disposing of computers and electronic media. In this memorandum there are different procedures for Departmental Management (DM) agencies[1], non-DM agencies[2] in the Frances Perkins Building, and other non-DM agencies not located in the Frances Perkins Building. Each of these three groups has distinct processes and procedures to follow, which allow for inconsistencies and/or bypassing certain steps at the national and regional offices. For DM agencies, the Computer Technology Center (CTC) is the responsible organization for sanitizing departmental agencies’ electronic media. The memorandum also established that the CTC is responsible for completing verification of the sanitization’s effectiveness.
       Establishing the CTC to be responsible for both sanitizing and verifying its own work led to the transfer and disposal of electronic media that contains inappropriate information.

   •   The same memorandum additionally states, as part of the disposal process, agencies are required to document the sanitization of electronic media prior to its transfer or disposal using the Electronic Media Disposal Sanitation Certificate (DL1-55A)[3]. Of the eight agencies’ policies and procedures[4] we reviewed, procedures for two agencies, MSHA and ESA, specify the use of in-house forms rather than the use of the official form, DL1-55A. One agency, BLS, does not document the sanitization of electronic media prior to transfer or disposal.

   •   Prior to the January 26, 2005 memorandum, surplus computers were being transferred to the Business Operations Center (BOC) for disposal without the required disposition documentation. Of the 12 computers we selected from the Frances Perkins Building loading dock for testing, only 5 had complete documentation. BOC management acknowledged that 7 of the 12 computers selected were machines that were transferred to BOC for disposal without proper documentation.
       In addition, after the memorandum was issued, additional computers containing unsanitized computer hard drives were found in DOL hallways.

   •   OASAM personnel stated that staff responsible for the proper sanitization of electronic media were not getting the necessary training.

[1] DM agencies are defined as agencies that utilize the services of the Office of the Assistant Secretary for Administration and Management (OASAM) for technical support, e.g., Office of Chief Financial Officer, Office of the Solicitor, Women’s Bureau, and OASAM.

[2] Non-DM agencies are defined as agencies that maintain their own technology support staff: Occupational Safety and Health, Bureau of Labor Statistics, Office of Inspector General, Employment Training Administration, and Employment Standards Administration.

[3] This is not a new requirement; the memorandum reiterates and clarifies procedures previously issued by the Department of Labor Management Series.

[4] There are eight agencies in the department with policy and procedures for the sanitizing and disposal of electronic media; they are: OASAM, BLS, EBSA, ESA, ETA, MSHA, OIG, and OSHA.

The Federal Information Security Management Act (FISMA) of 2002 requires agencies to:

       . . . (b) Agency Program. . . (C) ensure that information security is addressed throughout the life cycle of each agency information system. . . .

National Institute of Standards and Technology (NIST) Guidance, Special Publication 800-26, establishes:

       . . .
       Like other aspects of an IT system, security is best managed if planned for throughout the IT system life cycle [emphasis added]. There are many models for the IT system life cycle but most contain five basic phases: initiation, development/acquisition, implementation, operation, and disposal [emphasis added]. . . .

The Department of Labor Manual Series (DLMS) 9 – Information Technology, Chapter 300, Management and Accountability of Information Resources, section 306 C (11), page 9, states that Agency Heads are responsible to:

       Document that appropriate measures have been taken to protect against unintentional release of DOL information when information resources are processed through excess property procedures or donated outside of DOL.

Additionally, the DLMS 2 – Administration, Chapter 100, DOL Property Management, section 108 D (4), page 17 states:

       Electronic Media Disposal Sanitation Certificate (DL[1-]55A) must be completed for all sanitized electronic media.

The DLMS 9 – Information Technology, section 407 A, pages 4-8 states that the CIO:

       . . . must develop and implement the Department-wide ISS [Information System Security] program and ensure that agencies are carrying out agency-wide ISS programs.

The manual further states that the CIO is responsible to:

       . . . develop and/or oversee development of:

          •   Information technology policies;
          •   Standards, plans and guidance;
          •   Architectures, processes, and methodologies

       that ensure all information stored, disseminated, or transmitted by DOL-owned information systems or by other systems provided for DOL use under contract or subcontract is properly safeguarded against unauthorized access, use, modification, destruction, or denial of service through the integration of management, operational, and technical controls.

OASAM memorandum, Reminder: Disposing of Computers and Electronic Media, dated January 26, 2005, states that any electronic media transferred to OASAM for disposal must be accompanied by a DL1-55A Electronic Media Sanitization Disposal Certificate that has been signed by the appropriate agency official. The memorandum also states that,

       . . . at no time should CPUs or other electronic media be left unattended in common areas, such as hallways. Instead, it must be stored in the internal office space of the DOL Agency to which it is assigned until it has been disposed of properly.

Without implementing and following consistent sanitization procedures and establishing a sound verification process that includes testing across the Department, adequate sanitization of electronic media cannot be assured and may lead to intentional and/or unintentional release of information, which may compromise the Department’s security of its infrastructure, information assets, employees, and the public’s trust.

Recommendations

We recommend the ASAM take the following actions:

   1. Review the department-wide electronic media sanitization policy for uniformity, develop verification procedures that include testing, and enforce the implementation of the updated procedures throughout the sanitization and disposal process.

   2. Coordinate with each Agency’s Information Technology (IT) Security Officer to ensure future IT-specific security training includes proper sanitization of electronic media.

   3. As a part of the Office of Chief Information Officer’s testing of DOL’s information security program, periodically verify agencies’ effectiveness in sanitizing electronic media to assure adequate security at the disposal phase of a system’s life cycle.

Additionally, we recommend the ASAM take the following long-term action:

   4. Research emerging technologies, e.g., file encryption software, as an additional measure to protect DOL information assets throughout the Department.

Agency Response

OASAM management submitted to OIG their comments on the draft report. These comments were embedded into the draft report by OASAM and forwarded to OIG as an attachment to the Deputy Assistant Secretary for Operations, September 30, 2005, memorandum to the Assistant Inspector General for Audit. The comments are excerpted below.

   1. OASAM management agrees with the first recommendation. The OASAM Office of the Chief Information Officer (OCIO) will review the Department’s policies for electronic media sanitization to ensure consistency in the implementation of procedures throughout the agencies. Since the initial audit in December 2004, the Department has revised and implemented new procedures for sanitizing electronic media and its tracking disposal. Additionally, further guidelines have been drafted to ensure that procedures are consistent and that periodic reviews are performed to ensure that electronic media are properly sanitized and that all data are no longer retrievable. These guidelines will be issued in the first quarter of FY 2006.

   2. OASAM management agrees with the second recommendation. The OCIO provided training on electronic media protection and sanitization in the FY ’05 Computer Security Awareness and Training (CSAT) required for all DOL employees. Additionally, the users identified as having significant security responsibilities were required to take supplementary training via the USA Learning Karta library, which contains more specific information with respect to electronic media sanitization. In consultation with each Agency’s Information Technology (IT) Security Officer, the OCIO will review the planned curriculum for the FY ’06 CSAT to ensure that the topic continues to be adequately covered.

   3. OASAM management agrees with the third recommendation. Updated guidelines have been drafted for electronic media sanitization. The guidelines specify that the Agency Information Security Officers (ISOs) are to perform periodic verification of media sanitization and that testing be performed based on the sensitivity of the data resident on the system or media.
The guidance further\n      calls for separation of duties between the Agency ISO and the staff performing\n      the media sanitization process so that verification is an independent function. In\n      addition, the OCIO will periodically evaluate the effectiveness of the electronic\n      media sanitization policy and guidelines implementation. The updated guidelines\n      will be issued in the first quarter of FY 2006.\n\nU.S. Department of Labor\xe2\x80\x94Office of Inspector General                                          11\nReport Number: 23-05-028-50-598\n\x0cDOL Needs to Perform Electronic Media\nSanitization More Effectively Prior to Transfer or Disposal\n\n\n\n     4. OASAM Management agrees with the fourth recommendation and has an\n        existing process that is well adapted to its implementation. Emerging\n        technologies are reviewed and approved by the Technical Review Board (TRB)\n        and its Subcommittees \xe2\x80\x93 Enterprise Architecture Subcommittee (EASC), IT\n        Security Subcommittee (ITSSC) and the IT Architecture Subcommittee (ITASC).\n        The ITASC proactively researches the industry to ensure the Department is\n        abreast of new and emerging technologies. The ITASC is then responsible for\n        providing recommendations to the EASC regarding the impact of the emerging\n        technology on the Department\xe2\x80\x99s infrastructure. The ITSSC and the EASC review\n        the technology from a security and overall infrastructure perspective to ensure\n        there are no security risks associated with it\xe2\x80\x99s implementation and to ensure that\n        the technology fits into the Department\xe2\x80\x99s and the Federated EA, which includes\n        the use of secure technologies and standards. 
The TRB and its subcommittees\n        are all comprised of representatives from each agency as well as advisors from\n        each OCIO program area \xe2\x80\x93 Security, Capital Planning, and Enterprise\n        Architecture. This existing representative body will continue to implement the\n        governance process, referenced above, that ensures compliance to\n        recommendation four.\n\n\nOIG Conclusion\n\nBased on the OASAM response to the draft report, all four recommendations are\nresolved.\n\nTo close recommendation 1 and recommendation 3, OASAM should provide the new\nguidelines to the OIG for testing to ensure the guidelines reduce the risk of unsanitized\nelectronic media from leaving the Department.\n\nTo close recommendation 2, OASAM should provide the OIG access to review the\nFY \xe2\x80\x9906 CSAT to ensure that the topic is adequately covered.\n\nTo close recommendation 4, OASAM should provide documentation of the TRB and\nsubcommittee research of products for securing information at the desktop level, such\nas file level encryption.\n\n\n\n\nElliot P. Lewis\nAugust 26, 2005\n\n\n\n\n12                                           U.S. Department of Labor\xe2\x80\x94Office of Inspector General\n                                                                 Report Number: 23-05-028-50-598\n\x0c                                                        DOL Needs to Perform Electronic Media\n                                      Sanitization More Effectively Prior to Transfer or Disposal\n\n\n\n\nAppendices\n\n\n\n\nU.S. Department of Labor\xe2\x80\x94Office of Inspector General                                          13\nReport Number: 23-05-028-50-598\n\x0cDOL Needs to Perform Electronic Media\nSanitization More Effectively Prior to Transfer or Disposal\n\n\n\n\n                    PAGE HAS BEEN INTENTIONALLY LEFT BLANK\n\n\n\n\n14                                           U.S. 
Department of Labor\xe2\x80\x94Office of Inspector General\n                                                                 Report Number: 23-05-028-50-598\n\x0c                                                        DOL Needs to Perform Electronic Media\n                                      Sanitization More Effectively Prior to Transfer or Disposal\n\n                                                                                 APPENDIX A\nBACKGROUND\n\n\nCurrent news stories show a disturbing trend concerning the disposal of surplus\nelectronic media. CNET news reported two Massachusetts Institute of Technology\nstudents purchased 158 used disk drives for less than $1,000. These students found\n129 disk drives were still working, and contained thousands of credit card numbers,\nmedical records, and detailed personal and financial information. The Washington Post\nrecently published an article stating 40 million computers became obsolete in 2001.\nMany of these obsolete computers are being shipped to foreign countries. In the past,\nreports have surfaced that federal agencies have disposed of surplus electronic media\nwithout taking appropriate measures to erase the information stored on the media. This\ncan lead to disclosure of sensitive information, embarrassment to the agency, costly\ninvestigations, and other avoidable consequences.\n\nIn 2003, we conducted a survey of electronic media disposal in the Department of\nLabor. We tested 21 surplus computers from the OASAM loading docks at the national\noffice, and found that 85 percent of them contained licensed software and/or\nrecoverable data.\n\nFederal Regulations mandate that government agencies protect data maintained about\nindividual citizens from unauthorized release. Policies and procedures should be\nestablished to protect DOL licensed software and sensitive data stored on electronic\nmedia before release, transfer, or disposal. 
Our survey work during the planning phase\nindicated that DOL management had not established or implemented policies and\nprocedures sufficiently specific to prevent the unintentional release of licensed software\nand sensitive data stored on electronic media. On March 27, 2003, an Alert Report was\nissued to the CIO recommending a moratorium on the release of surplus computers\nuntil hard disk drives could be sufficiently sanitized. We also recommended the CIO\nupdate policy and provide guidance to the agencies in this area. In response to that\nreport, the CIO took immediate corrective action, declaring a moratorium on the release\nof surplus electronic media, and updating disposal procedures to address the\nsanitization of electronic media.\n\n\n\n\nU.S. Department of Labor\xe2\x80\x94Office of Inspector General                                          15\nReport Number: 23-05-028-50-598\n\x0cDOL Needs to Perform Electronic Media\nSanitization More Effectively Prior to Transfer or Disposal\n\n\n\n\n                    PAGE HAS BEEN INTENTIONALLY LEFT BLANK\n\n\n\n\n16                                           U.S. 
Department of Labor\xe2\x80\x94Office of Inspector General\n                                                                 Report Number: 23-05-028-50-598\n\x0c                                                        DOL Needs to Perform Electronic Media\n                                      Sanitization More Effectively Prior to Transfer or Disposal\n\n                                                                                 APPENDIX B\nOBJECTIVE, SCOPE, METHODOLOGY, AND CRITERIA\n\n\n\nObjective\n\nThe following is the objective of the audit:\n\n   Is the Department of Labor effectively sanitizing surplus electronic media prior to\n   transfer or disposal in order to minimize the risk associated with unintentional\n   release of information?\n\n\nScope\n\nOur audit included a departmental level review of the sanitization and disposal of\nelectronic media by agencies. We made a judgmental selection of electronic media that\nwas being processed for disposal. We tested the disposed electronic media to\ndetermine if it was sanitized. If we determined that it was not sanitized, we performed\nadditional tests to identify if there were any 1) licensed operations system, 2) licensed\napplication system and 3) sensitive, personal or confidential information on the\nelectronic media.\n\nAudit fieldwork was conducted from December 21, 2004 through August 26, 2005, at\nDOL Headquarters in the Frances Perkins Building in Washington, DC, and at DOL\nregional offices.\n\n\nMethodology\n\nWe conducted our audit in accordance with Generally Accepted Government Auditing\nStandards, issued by the Comptroller General of the United States, and included tests\non internal controls, as we considered necessary, to satisfy the objectives of the audit.\n\nWe acquired electronic media deemed for disposal from various sources and locations\nin DOL to determine if sanitation had occurred. 
We performed further analysis of DOL\nand its agencies\xe2\x80\x99 policies and procedures for compliance with Federal and its own\npolicies and procedures.\n\nWe made a judgmental selection of electronic media that was being processed for\ndisposal. In some instances, DOL employees contacted us when electronic media was\ntransferred or disposed. We judgmentally selected the media based upon size and\nlocation of the disposed media. In addition, we selected media we found abandoned in\n\n\n\nU.S. Department of Labor\xe2\x80\x94Office of Inspector General                                          17\nReport Number: 23-05-028-50-598\n\x0cDOL Needs to Perform Electronic Media\nSanitization More Effectively Prior to Transfer or Disposal\n\nhallways. Our sampling was selected in this manner due to the infrequent disposal of\nmedia and the decentralization of DOL.\n\nFrom those samples, we tested the media using procedures known as a keyboard\nattack, which consists of recovering information using tools and software that is readily\navailable to any user.\n\nTo understand the Federal and DOL requirements of electronic media sanitization and\ndisposal process, we obtained an understanding of the information listed in the criteria\nsection.\n\nWe reviewed OASAM policies and procedures related to the disposal of surplus\nelectronic media. We also reviewed the policies and procedures of the departmental\nagencies to ensure compliance with DOL policy.\n\n\n\n\n18                                           U.S. 
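Recommendation 1 and the methodology above both turn on the same check: confirming that media released for transfer or disposal holds no recoverable content. The following Python is an added example, not part of the OIG report or of DOL’s own procedures; it reads a drive image block by block, flags any block that differs from the fill pattern the wipe should have written, and records where the leading bytes of common file formats survive, so a verifier (the Agency ISO in the response above) can test a sanitized drive independently of the staff who wiped it. The image bytes, block size and signature list are constructed for the demonstration.

```python
"""Sanitization verification check (added example, not from the OIG report).

Scans a drive image block by block and reports residual content: blocks that
differ from the expected fill pattern, plus offsets of common format signatures.
"""
from dataclasses import dataclass, field

BLOCK_SIZE = 512  # sector size used for the scan

# Magic numbers of common formats (constructed list for this example; extend as needed).
SIGNATURES = {
    b"MZ": "Windows executable (licensed software remnant)",
    b"PK\x03\x04": "ZIP / Office Open XML document",
    b"%PDF": "PDF document",
    b"\xd0\xcf\x11\xe0": "legacy MS Office document",
}


@dataclass
class VerificationResult:
    blocks_total: int = 0
    blocks_residual: int = 0
    signatures: list = field(default_factory=list)  # (image offset, description)

    @property
    def sanitized(self) -> bool:
        """True only when every block matched the expected fill pattern."""
        return self.blocks_residual == 0


def verify_image(image: bytes, fill: int = 0x00,
                 block_size: int = BLOCK_SIZE) -> VerificationResult:
    """Compare each block against the fill byte the wipe should have written."""
    expected = bytes([fill]) * block_size
    result = VerificationResult()
    for offset in range(0, len(image), block_size):
        block = image[offset:offset + block_size]
        result.blocks_total += 1
        if block == expected[:len(block)]:
            continue  # block holds only the wipe pattern
        result.blocks_residual += 1
        for magic, description in SIGNATURES.items():
            pos = block.find(magic)
            if pos != -1:
                result.signatures.append((offset + pos, description))
    return result


def sample_images() -> dict:
    """Constructed images: one correctly wiped, one with leftover content."""
    wiped = bytes(BLOCK_SIZE * 4)
    leftover = bytearray(BLOCK_SIZE * 4)
    for offset, data in (
        (BLOCK_SIZE, b"%PDF-1.4"),                          # document at a block start
        (2 * BLOCK_SIZE + 100, b"MZ\x90\x00"),               # executable header mid-block
        (3 * BLOCK_SIZE + 10, b"CONFIDENTIAL case notes"),  # plain-text remnant
    ):
        leftover[offset:offset + len(data)] = data  # same-length slice keeps size fixed
    return {"wiped": wiped, "leftover": bytes(leftover)}
```

A drive that was overwritten with a non-zero pattern is verified by passing that byte as `fill`; any result with `sanitized` false should send the drive back for re-sanitization rather than to the loading dock.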
Criteria

We used the following criteria to perform this audit:

   •   Government Accountability Office manual, Federal Information System Controls Audit Manual (FISCAM)
   •   Federal Information Security Management Act of 2002 (FISMA)
   •   DLMS 2 Administration, Chapter 100 – DOL Property Management
   •   DLMS 9 Information Technology, Chapter 400 – Security
   •   DLMS 9 Information Technology, Chapter 300 – Management and Accountability of Information Resources
   •   Department of Labor Systems Development Lifecycle Management Manual, version 2.1
   •   Department of Labor Information Technology Center Standard Operating Procedure: Media Sanitation for Surplus Equipment, National Office ECN
   •   OASAM memorandum: Reminder: Disposing of Computers and Electronic Media, dated January 26, 2005
   •   NIST Special Publication 800-64 Rev. 1, Security Considerations in the Information System Development Life Cycle
   •   NIST Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook
   •   NIST Special Publication 800-26, Self-Assessment Guide for Information Technology Systems
   •   Public Law 93-579, 5 U.S.C. 552a, The Privacy Act of 1974
   •   Department of Labor Computer Security Handbook, version 2.0
   •   NIST Media Sanitization Procedures
   •   NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems


APPENDIX C
ACRONYMS AND ABBREVIATIONS

BLS               Bureau of Labor Statistics
BOC               Business Operations Center, OASAM
CIO               Chief Information Officer
CTC               Computer Technology Center
DOL               Department of Labor
EBSA              Employee Benefits Security Administration
ECAB              Employees’ Compensation Administration Board
ESA               Employment Standards Administration
ETA               Employment and Training Administration
FECA              Federal Employees’ Compensation Act
FISMA             Federal Information Security Management Act
FISCAM            Federal Information System Controls Audit Manual
MSHA              Mine Safety and Health Administration
NIST              National Institute of Standards and Technology
OASAM             Office of the Assistant Secretary of Administration and Management
OIG               Office of Inspector General
OSHA              Occupational Safety and Health Administration
SOL               Office of the Solicitor
WB                Women’s Bureau


APPENDIX D
AGENCY RESPONSE TO DRAFT REPORT